I am a Software Engineer currently and have done quite a bit of systems work as well. I love the idea of Penetration Testing and would love to work towards becoming a pentester/Certified Ethical Hacker. My question is: what are some ways one can learn basic skills in this field while remaining ethical/legal?

Self-teaching programming was an easier task for me--I could learn a language by building small applications, scripts, etc. I learned Linux by installing it on my personal computer and hacking around on it. Pentesting however requires a machine to test, which can quickly become a legal issue. I can certainly create a small application with known security issues that I can pentest myself, but that would take away from the aspect of actually finding the bug.

My main questions then are:

What ways can an aspiring pentester/CEH get hands-on learning experience without turning to black-hat hacking?

I have heard of sites that are online that are "designed to be hacked" and are practice for hackers. Are these legal/useful?

Is it worthwhile/ethical to offer free or low-cost pentesting services to improve skills? (Another great way to learn programming, sounds totally sketchy though to offer free hacking! ;) )

I am in transit so can't easily point you at the best ones, but we have questions covering this topic here, with links to good online testing practice sites. Quick answer: 1 - it's easy. Loads of resources. 2 - yes. 3 - don't do this, really easy way to end up in real trouble!
– Rory Alsop♦ Nov 21 '13 at 17:47

1

I'd stay away from CEH. It's well known to industry insiders as being one of the shallowest and most laughable courses/qualifications in industry. It's often seen on job requirements, but only for companies who don't really understand what they want. OSCP is far better. If you're in the UK, CREST is the best to go for. Take all qualifications with a grain of salt though; there is no substitute for experience gained alongside quality testers in a reputable company.
– sillyMunky Dec 9 '14 at 21:26

2

@sillyMunky Funny you say that. I wrote this post 1 year ago and I'm currently pursuing an OSCP. I chose against the CEH because OSCP was much more hands-on.
– cehprogrammer Dec 9 '14 at 21:38

3 Answers
3

There are many "boot to root" and "vulnerable by design" challenges you can have a go at completely legally. You'll need some VM software, and make sure you set the network settings on it so that the machine can only be seen from your internal network!

Holynix is another (I can't link more than 2 due to new account here).

If you search for g0tmi1k's blog, he has the solutions up for most of these - don't look even if you get stuck in my opinion. Just use them to work out how you could have done it faster/better afterwards.

My most important advice is to be curious. If something doesn't work, find out why it doesn't work. If something works, find out why it works. Have a look at talks from

CCC

Brucon

Defcon

hack.lu

See what people are talking about, what are the new technologies, think about how these could be abused.

You don't become blackhat by hacking, you become blackhat by hacking stuff which you aren't allowed to. As long as you do not start experimenting on other people's infrastructure you should be good.

Build your own lab, set up a few virtual machines. Get some routers, build a network. Having your own closed environment will first of all teach you how things are set up and where people tend to cut corners on security. You can then try to exploit on your own network.
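The advice above to keep a practice machine visible only from your own lab is the one setting that is easy to get wrong, so here is an added example (not from the original answers or from VirtualBox itself) that checks it. It assumes VirtualBox, takes the text of `VBoxManage showvminfo <vm> --machinereadable` as input, and fails the check when any NIC is in a mode that reaches beyond the host (`bridged`, `nat`, `natnetwork`) or when a NAT port-forwarding rule exposes a guest port on the host's interfaces. The two sample outputs are constructed for illustration, not captured from a real machine.

```python
"""Lab-isolation check for a VirtualBox practice target (added example).

Assumption: the input is the output of
    VBoxManage showvminfo <vm> --machinereadable
Sample texts below are constructed, not captured from a real VM.
"""
import re
import sys

# Attachment modes that let the guest reach, or be reached from, beyond the host.
EXPOSED_MODES = {"bridged", "nat", "natnetwork"}
# Modes confined to the host or to other VMs on the same host.
ISOLATED_MODES = {"hostonly", "intnet", "none"}

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$')       # e.g. nic1="hostonly"
FWD_RE = re.compile(r'^Forwarding\(\d+\)=')        # e.g. Forwarding(0)="ssh,tcp,,2222,,22"


def check_isolation(showvminfo_text):
    """Return (ok, findings) for machine-readable showvminfo output.

    ok is True only when every NIC is in an isolated mode and no NAT
    port-forwarding rule is present.  Each finding is a human-readable string.
    """
    findings = []
    nics_seen = 0
    for line in showvminfo_text.splitlines():
        line = line.strip()
        m = NIC_RE.match(line)
        if m:
            idx, mode = m.group(1), m.group(2)
            nics_seen += 1
            if mode in EXPOSED_MODES:
                findings.append(f"nic{idx} is '{mode}': reachable beyond the host")
            elif mode not in ISOLATED_MODES:
                findings.append(f"nic{idx} has unrecognised mode '{mode}': review manually")
            continue
        if FWD_RE.match(line):
            findings.append(f"NAT port-forwarding rule present: {line}")
    if nics_seen == 0:
        findings.append("no nicN entries found: is this really --machinereadable output?")
    return (not findings, findings)


# Constructed sample: a well-isolated target (host-only adapter, second NIC unplugged).
SAMPLE_ISOLATED = '''name="practice-target"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nictype1="82540EM"
nic2="none"
'''

# Constructed sample: a misconfigured target (bridged onto the real LAN, plus a NAT forward).
SAMPLE_EXPOSED = '''name="practice-target"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
Forwarding(0)="web,tcp,,8080,,80"
'''


def report(label, text):
    """Print the verdict for one showvminfo text; returns the ok flag."""
    ok, findings = check_isolation(text)
    print(f"{label}: {'isolated' if ok else 'NOT isolated'}")
    for f in findings:
        print("  -", f)
    return ok


if __name__ == "__main__":
    if sys.argv[1:] == ["-"]:
        # Pipe real output in:  VBoxManage showvminfo <vm> --machinereadable | python3 check_lab.py -
        sys.exit(0 if report("stdin", sys.stdin.read()) else 1)
    report("sample isolated", SAMPLE_ISOLATED)
    report("sample exposed", SAMPLE_EXPOSED)
```

Run it with `-` to feed in real `VBoxManage` output; without arguments it evaluates the two constructed samples. The check is deliberately conservative: an attachment mode it does not know is reported for manual review rather than silently passed, since a lab target that is accidentally bridged onto the house LAN is exactly the "other people's infrastructure" problem the answer warns about.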

Virtual machines will be your friends. With them you can load up various operating systems, and learn to attack them from outside. Install a copy of Windows XP SP2 on one for an easy target for metasploit. Also, check out Damn Vulnerable Linux, which was designed to be hackable (I see that it may no longer be supported.)

There are many books on studying for the Certified Ethical Hacker exams, all of which help teach pen testing, and some come with practice challenges.

You're right to avoid hacking other systems without permission. Fortunately, it's easy enough to host your own that you shouldn't have to do that.

Other resources that might be available to you are a local DEFCON group, or an OWASP chapter. If you can't get to BlackHat or DEFCON, attend some cheaper regional security conferences such as Secure360. Get to know some people who do pen-testing and you can learn a lot from them quickly. Ultimately, once you've demonstrated some skills, they might also be able to direct some work your way. You don't have to do this alone.